
Namecheap Email System Hacked to Send DHL and Metamask Phishing Emails

Hackers compromised the Namecheap email system to send MetaMask and DHL phishing emails targeting customers’ personal and crypto wallet information.

On February 13, 2023, hackers sent fake DHL delivery status notification emails requesting victims to pay delivery fees to prevent their parcels from being returned. They also impersonated the self-hosted wallet provider MetaMask and requested the victims to complete the KYC (Know Your Customer) verification process to avoid losing access to their crypto wallets.

The MetaMask phishing emails included a link (https://links.namecheap.com/) that redirected the victims to a phishing page requesting the victims’ “Secret Recovery Phrase” or “Private key” that hackers could use to take over their wallets.

Twilio denies responsibility for the Namecheap email hack

Namecheap initially blamed a third-party marketing email provider for the breach that allowed hackers to send seemingly legitimate emails from Namecheap’s account.

“We have evidence that the upstream system we use for sending emails (third-party) is involved in the mailing of unsolicited emails to our clients. As a result, some unauthorized emails might have been received by you,” the domain registrar said in a statement.

Without directly apportioning blame, Namecheap CEO Richard Kirkendall disclosed that the company uses Twilio’s marketing email system SendGrid to communicate with its customers.

Kirkendall also suggested that the Namecheap email breach likely originated from the MailChimp, SendGrid, and Mailgun API key leaks that affected over 54 million users. The leaked keys could allow hackers to send phishing emails, delete API keys, and manipulate two-factor authentication.

“Gaining access to a legitimate email account to send out phishing emails is a goldmine for criminals,” said Javvad Malik, lead awareness advocate at KnowBe4. “In the past, we’ve seen the likes of Mailchimp being breached and used to send out phishing emails.”

According to Malik, malicious emails sent from reputable sources reach the victims’ inboxes because those senders are whitelisted and bypass gateway filters.
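The gap Malik describes can be narrowed by running content checks even on mail from allow-listed senders. The sketch below is an added example, not code from Namecheap, Twilio or KnowBe4; the allow-list, the brand-to-domain map, the lure phrases and both sample messages are assumptions constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Assumed gateway policy and brand-to-domain map (illustrative, not from the article).
ALLOWLISTED = {"namecheap.com"}
BRAND_DOMAINS = {"dhl": "dhl.com", "metamask": "metamask.io"}
# Credential requests the article says the phishing page made.
LURES = {"recovery-phrase": r"secret recovery phrase", "private-key": r"private key"}

def in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def assess(raw):
    """Score one raw message; content checks run even for allow-listed senders."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = "\n".join(
        (p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_maintype() == "text")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    # A brand named in the message that the sending domain does not belong to.
    reasons = [f"brand-mismatch:{b}" for b, d in BRAND_DOMAINS.items()
               if re.search(rf"\b{b}\b", text) and not in_domain(sender, d)]
    reasons += [f"lure:{n}" for n, pat in LURES.items() if re.search(pat, text)]
    allowlisted = any(in_domain(sender, d) for d in ALLOWLISTED)
    verdict = "quarantine" if reasons else ("deliver" if allowlisted else "scan")
    return {"sender": sender, "allowlisted": allowlisted, "reasons": reasons, "verdict": verdict}

# Constructed sample messages (addresses and wording are made up for the example).
PHISH = """From: Namecheap <news@namecheap.com>
Subject: MetaMask: KYC verification required
Content-Type: text/plain; charset=utf-8

Complete KYC to keep your MetaMask wallet. You will be asked for your Secret Recovery Phrase.
"""
BENIGN = """From: Namecheap <news@namecheap.com>
Subject: Your domain renews next month
Content-Type: text/plain; charset=utf-8

Your domain example.test renews in 30 days.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, assess(raw))
```

A registrar that also sells TLS certificates may legitimately mention private keys, so the lure list needs tuning against real traffic before it is used to quarantine mail.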

Although the phishing emails had SendGrid headers, Twilio vehemently denied being the source of the Namecheap email hack. Instead, the cloud-based CPaaS provider recommended a “multi-prong approach” to protect accounts and combat phishing attacks, including two-factor authentication, IP access management, and domain-based messaging.

Meanwhile, Namecheap deactivated all SendGrid emails, including code delivery, two-factor authentication, device verification, and password reset requests, and also deactivated the phishing link embedded in the phishing emails.

Additionally, the Phoenix, Arizona-based domain registration and hosting company assured its customers that the Namecheap email hack did not jeopardize customers’ products or account information.

“We would like to assure you that Namecheap’s own systems were not breached, and your products, accounts, and personal information remain secure.”

MetaMask also alerted its customers to the hacked Namecheap email system, urging them to avoid clicking on the phishing emails. Additionally, the self-custodial wallet provider reminded users that it does not collect KYC information or send account-related information via email.

Hackers accessed Namecheap’s newsletter list to send phishing emails

Namecheap’s investigation concluded that hackers accessed its “newsletter list containing customers’ names and email addresses” to send phishing emails. Subsequently, the domain registrar took “full responsibility” for the Namecheap email hack, adding that any customer information disclosure was regrettable.

“We take any disclosure of customer information seriously and take full responsibility for this incident and are committed to ensuring that the safety and privacy of our customers are upheld in every way possible now and in the future,” said Namecheap.

According to Dror Liwer, co-founder of cybersecurity company Coro, the Namecheap email hack demonstrated the need for account takeover controls on all platforms an organization uses: “Defense against phishing is normally only considered on the recipient’s end. But now, with Business Email Compromise (BEC) becoming more and more prevalent, like in this case, it is just as important to protect at the source, and prevent account takeovers which can result in much more deceptive phishing attacks.”